Abstract. We provide new hash functions into (hyper)elliptic curves over finite fields. These functions aim at instantiating in a secure manner cryptographic protocols where we need to map strings into points on algebraic curves, typically user identities into public keys in pairing-based IBE schemes.

Contrasting with recent Icart's encoding, we start from "easy to solve by radicals" polynomials in order to obtain models of curves which in turn can be deterministically "algebraically parameterized". As a result, we obtain a low degree encoding map for Hessian elliptic curves, and for the first time, hashing functions for genus 2 curves. More generally we present for any genus (more narrowed) families of hyperelliptic curves with this property.

The image of these encodings is large enough to be "weak" encodings in the sense of Brier et al., and so they can be easily turned into admissible cryptographic encodings.

deterministic encoding, elliptic curves, Galois theory, hyperelliptic curves
1. Introduction

Many asymmetric cryptographic mechanisms are based on the difficulty of the discrete logarithm problem in finite groups. Among these groups, algebraic curves on finite fields are of high interest because of the small size of keys needed to achieve good security. Nonetheless it is less easy to encode a message into an element of the group.

Let $\mathbb{F}_q$ be a finite field of odd characteristic $p$, and $H/\mathbb{F}_q : y^2 = f(x)$ where $\deg f = d$ be an elliptic (if $d = 3$ or $4$) or hyperelliptic (if $d \geq 5$) curve. We consider the problem of computing points on $H$ in deterministic polynomial time. In cryptographic applications, computing a point on a (hyper)elliptic curve is a prerequisite for encoding a message into its Jacobian group. In this regard, pairing-based cryptosystems are no exception. The Boneh-Franklin Identity-Based Encryption scheme [3], for instance, requires associating a point on an elliptic curve to any user identity.

In the case of elliptic curves, we may remark that it is enough to compute one rational point $G$, since we can obtain other points $tG$ from integers $t$ (at least if $G$ is of large enough order). To compute such a $G$, one might test random elements $x \in \mathbb{F}_q$ until $f(x)$ is a square. But without assuming GRH, we have no guarantee of finding a suitable $x$ after a small enough number of attempts, and no deterministic algorithm is known for computing square roots when $p \equiv 1 \bmod 4$. Moreover, encoding $t$ into $tG$ voids the security of many cryptographic protocols [10].

Maybe a more serious attempt in this direction for odd degrees $d$ is due to Atkin and Morain [1]. They remark that if $x_0$ is any element of $\mathbb{F}_q$ and $\lambda = f(x_0)$, then the point $(\lambda x_0, \lambda^{(d+1)/2})$ is on the curve $Y^2 = \lambda^d f(X/\lambda)$. But again, the latter can be isomorphic either to the curve or to its quadratic twist, depending on whether $\lambda$ is a quadratic residue or not, and we have no way to control this in deterministic time.

In 2006, Shallue and Woestijne [13] proposed the first practical deterministic algorithm to encode points into an elliptic curve, quickly generalized by Ulas [14] to the family of hyperelliptic curves defined by $y^2 = x^n + ax + b$ or $y^2 = x^n + ax^2 + bx$. Icart proposed in 2009 another deterministic encoding for elliptic curves, of complexity $O(\log^{2+o(1)} q)$, provided that the cubic root function, inverse of $x \mapsto x^3$ on $\mathbb{F}_q^*$, is a group automorphism. This turns into $q \equiv 2 \bmod 3$. This encoding uses Cardano-Tartaglia's formulae to parameterize the points $(x : y : 1)$ on any elliptic curve $E : x^3 + ax + b = y^2$.
In this paper, we propose a strategy for finding other families with such properties (Section 2). As an example, we first show how the strategy works for genus 1 curves and come to a new encoding map for Hessian elliptic curves (Section 3.1). We then study more carefully genus 2 curves and exhibit several large families (Section 3.2). Finally for all genus $g \geq 2$, we propose families of hyperelliptic curves which admit an efficient deterministic encoding function (Section 4), provided some conditions on $q$ (typically $q \equiv 2 \bmod 3$ and $q$ coprime to $2g + 1$).

Remark 1.1. In the paper, we use the words "parameterization" and "encoding" interchangeably, even if, strictly speaking, we do not have fully parameterized curves. We are aware that these maps are only improper parameterizations, since more than one parameter may correspond to one point. There are also numerous points which lie outside the image of our maps.

Remark 1.2. Each of our encodings is a weak encoding in the sense of [6]. Combined with a cryptographic hash function, we can thus construct hash functions into the set of rational points of these curves that are indifferentiable from a random oracle.

2. A Strategy

Given a genus $g$, we describe a basic strategy for finding curves of genus $g$ which admit a deterministic encoding for a large subset of their points.

It is worth noting first that only genus 0 curves are rationally parameterizable. That is, any curve which admits a rational parameterization shall be a conic, see [12, Theorem 4.11]. Encoding maps into higher genus curves shall thus be algebraic. We are then reduced to the parameterization of roots of polynomials. Hence, the main idea of our general strategy is to start from polynomials with roots which are easily parameterizable and then deduce curves with deterministic encoding.

2.1. Solvable Polynomials. Classical Galois theory offers a large family of polynomials with easily parameterized roots: polynomials with roots that can be written as radicals, which are polynomials with solvable Galois group. Our strategy is based on these polynomials.

More precisely, let $f_{\underline{a}}(X)$ be a family of parameterized polynomials (where $\underline{a}$ denotes a $k$-tuple $(a_1, a_2, \ldots, a_k)$ of parameters) with solvable Galois group. We are interested in such parametric polynomials but also in the parametric radical expression of their roots $X_{\underline{a}}$. For instance $f_A(X) = X^2 + A$ in degree 2, or more interestingly $f_{A,B}(X) = X^3 + AX + B$ in degree 3, are such polynomials with simple radical formulae for their roots. The former verifies $X_A = \sqrt{-A}$ and a root of the second one is given by the well-known Cardano-Tartaglia's formulae (see [8]). The application of our general strategy to this family of degree 3 polynomials with the parameterization of its roots is described in Section 3.

Let us note that we might use the classical field machinery to construct new solvable polynomials from smaller ones. Look for instance at De Moivre's polynomials of degree $d$: we start from the degree 2 field extension $\theta^2 + B\theta - A^d$, followed by the degree $d$ Kummer extension $\gamma^d - \theta = 0$. Then the element $X = \gamma - A/\gamma$ is defined in a degree $d$ subfield of the degree $2d$ extension. The defining polynomial of this extension is given by the minimal polynomial of $X$, which is equal to the De Moivre's polynomial,

$$X^d + dAX^{d-2} + 2dA^2X^{d-4} + 3dA^3X^{d-6} + \cdots + 2dA^{(d-1)/2-1}X^3 + dA^{(d-1)/2}X + B.$$

A more straightforward similar construction is to consider Kummer extensions over quadratic (or small degree) extensions, which yields $X^{2d} + AX^d + B$. From these two specific families of solvable polynomials, we provide, in Sections 4.1 and 4.2, hyperelliptic curves for all genus $g \geq 2$ which admit an efficient deterministic encoding function.

2.2. Rational and deterministic parameterizations. Given a parameterized family of solvable polynomials $f_{\underline{a}}(X)$, and a genus $g$, we now substitute a rational fraction $F_i(Y)$ in some variable $Y$ for each parameter $a_i$ in $\underline{a}$.

Let $\underline{F}(Y)$ denote the $k$-tuple of rational fractions $(F_1(Y), F_2(Y), \ldots, F_k(Y))$. The equation $f_{\underline{F}(Y)}(X) = 0$ now defines a plane algebraic curve $C$, with variables $(X, Y)$. The larger the degrees in $Y$ of $\underline{F}(Y)$, the larger (generically) the genus of $C$. So if we target some fixed genus $g$ for $C$, only few degrees for the numerators and denominators of $\underline{F}(Y)$ can occur. Since we can consider coefficients of these rational fractions as parameters $\underline{a} = (a_1, \ldots, a_{k'})$, this yields a family of curves $C_{\underline{a}}$.

Less easily, it remains then to determine among these $\underline{F}(Y)$ the ones which yield roots $X_{\underline{F}(Y)}$ which can be computed in deterministic time. The easiest case is probably when no square root occurs in the computation of $X_{\underline{F}(Y)}$, since then any choice for $\underline{F}(Y)$ will work, at the expense of some constraint on the finite field. But this is usually not the case, and we might try instead to link these square roots to some algebraic parameterization of an auxiliary algebraic curve.

2.3. Minimal Models. In some cases (typically hyperelliptic curves), it is worth deriving from the equation for $C_{\underline{a}}$ a minimal model (typically of the form $y^2 = g_{\underline{a}}(x)$). In order to still have a deterministic encoding with the minimal model, we need explicit birational maps $x = \Lambda_{\underline{a}}(X, Y)$, $y = \Omega_{\underline{a}}(X, Y)$ too. For hyperelliptic curves, the usual way for this is to work with holomorphic differentials defined by $C_{\underline{a}}$. This method is implemented in several computer algebra systems, for instance MAPLE [11] or MAGMA [5]. All in all, we obtain the following encoding for a minimal model $g_{\underline{a}}$:

• Fix some $Y$ as a (non-rational) function of some parameter $t$ so that all the square roots are well defined in $X_{\underline{F}(Y)}$;

• Compute $X = X_{\underline{F}(Y)}$;

• Compute $x = \Lambda_{\underline{a}}(X, Y)$ and $y = \Omega_{\underline{a}}(X, Y)$.

2.4. Cryptographic applications. Once we have found an encoding, it is important for cryptographic applications to study the cardinality of the subset of the curve that we parameterize. This ensures that we obtain convenient weak encodings for hashing into curves primitives (see [6]).

We also need to know in advance which values of $\mathbb{F}_q$ cannot be encoded using such functions, in order to deterministically handle such cases. In the genus 1 case as in other sections of our paper, this subset is always quite small compared to cryptographic sizes (at most several hundred elements) and it depends only on the curve parameters, which are fixed once and for all; therefore it can be taken into account and handled appropriately when setting up the cryptosystem. Furthermore, cryptographic encodings of [6] make heavy use of hash functions onto the finite field before encoding on the curve; the output of the hash function can then be encoded with overwhelming probability.

In the degree 3 examples given below, as in the higher genus family given in Section 4.2, we will always be able to deduce from the encoding formulae (sometimes after some resultant computations) a polynomial relation $P_{\underline{a}}(Y, t)$ between any $Y$ of a point of the image and its preimages. Then the number of possible preimages is at most the $t$-degree of $P_{\underline{a}}(Y, t)$. Factorizing $P_{\underline{a}}(Y, t)$ over $\mathbb{F}_q$ then gives precisely the number of preimages.

We detail this process for the genus 1 application of our method in Section 3.1.2 and sketch how to obtain such a polynomial in other sections.

3. Degree 3 polynomials

In this section, we consider degree 3 polynomials. After easy changes of variables, any cubic can be written in its "depressed form" $X^3 + 3AX + 2B$, one root of which is

$$X_{A,B} = \sqrt[3]{-B + \sqrt{A^3 + B^2}} - \frac{A}{\sqrt[3]{-B + \sqrt{A^3 + B^2}}}.$$

In order to make use of this root while avoiding square roots, aiming at (non-rationally) parameterizing curves of positive genus, we first restrict to finite fields $\mathbb{F}_q$ with $q$ odd and $q \equiv 2 \bmod 3$, so that computing cubic roots can be done thanks to a deterministic exponentiation to the $e$-th power, $e = 1/3 \bmod q - 1$. We then need to consider rational fractions $A$ and $B$ in $Y$ such that the curve $A(Y)^3 + B(Y)^2 = Z^2$ can be parameterized too.

For non-zero $A$, let $A(Y) = T(Y)$ for some $T$ and $B(Y) = T(Y)S(Y)$ for some $S$; this problem is then the same as parameterizing the curve

(3.1) $T(Y) + S^2(Y) = Z^2$.

This can be done with rational formulae when this curve is of genus 0, or with non-rational Icart's formulae when this curve is of genus 1. In the case of irreducible plane curves, this means that $T$ and $S$ are of low degree. Instead of parameterizing an auxiliary curve, we could have directly chosen $T$ and $S$ such that $T(Y) + S(Y)^2 = Z(Y)^2$ for some rational function $Z$. With comparable degrees for $T$ and $S$ as in the rest of the section, we obtain only genus 0 curves. Thus we have to greatly increase the degree of $S$ and $T$ in order to get higher genus curves. Those curves then have high degree but small genus: they have many singularities.

So, we finally consider in the following degree 3 equations of the form

(3.2) $X^3 + 3\,T(Y)\,X + 2\,S(Y)\,T(Y) = 0$.

We could have considered the case $A = 0$ too, that is polynomials of the form $f_B = X^3 + 2B$. Our experiments in genus 1 and genus 2 yield curves that are isomorphic to hyperelliptic curves of any genus constructed from De Moivre's polynomials given in Section 4.2. We thus do not study this case further.

3.1. Genus 1 curves. 

3.1.1. Parameterization. We made a systematic study of Curves (3.2) of (generic) genus 1 as 
a function of the degree of the numerators and the denominators of the rational fraction S(Y) 
and T(Y). Results are in Tab. 1. 
Table 1. Degrees of $S(Y)$ and $T(Y)$ for genus 1 plane curves given by Eq. (3.2)



The only case of interest is when $S(Y)$ is a polynomial of degree at most 1 and $T(Y)$ is a polynomial of degree at most 2. When $q \equiv 2 \bmod 3$, these elliptic curves all have an $\mathbb{F}_q$-rational 3-torsion point, coming from $X = 0$.

Elliptic curves with an $\mathbb{F}_q$-rational 3-torsion point are known to have very fast addition formulae when given in "generalized" or "twisted" Hessian forms [9, 2]. Since $q \equiv 2 \bmod 3$, we even restrict in the following to classical Hessian elliptic curves.



Let us start from $S(Y) = 3(Y + a)/2$, $T(Y) = -Y/3$, that is curves of the type

(3.3) $C_{0,a} : Y^2 + XY + aY = X^3, \quad a \neq 0, 1/27$.

Then, the conic $S^2(Y) + T(Y) = 9/4\,Y^2 + (9/2\,a - 1/3)\,Y + 9/4\,a^2 = Z^2$ can be classically parameterized "by line" as

$$Y = \frac{12\,t^2 - 27\,a^2}{36\,t - 4 + 54\,a}, \qquad Z = \frac{36\,t^2 + (-8 + 108\,a)\,t + 81\,a^2}{72\,t - 8 + 108\,a},$$

so that $X = \Delta/6 + 2Y/\Delta$ where $\Delta = \sqrt[3]{36\,Y\,(3Y + 3a + 2Z)}$.

Besides, Curve (3.3) is birationally equivalent to the Hessian model

(3.4) $E_d : x^3 + y^3 + 1 = 3\,d\,x\,y, \quad d \neq 1$,

with $a = (d^2 + d + 1)/(3\,(d + 2)^3)$ and

(3.5) $$x = \frac{3\,(d+2)^2\,(Y(d+2) + X)}{3\,(d+2)^2 X + d^2 + d + 1}, \qquad y = -\frac{d^2 + d + 1 + 3\,(d+1)(d+2)^2 X + 3\,(d+2)^3 Y}{3\,(d+2)^2 X + d^2 + d + 1}.$$

The only remaining case is $d = -2$, that is the Hessian curve $E_{-2}$ (the quadratic twist of the curve $E_0$; both have their $j$-invariant equal to 0). This curve is for instance isomorphic to a curve of the type (3.2) with $S = (1 - 7Y)/4$ and $T = -26\,(3Y^2 + 1)/27$. We might use this to parameterize $E_{-2}$, but it is much simpler to start from the curve $Y^2 + Y = X^3$, which can be much more easily parameterized with $Y = t$, $X = \sqrt[3]{t^2 + t}$. This curve is isomorphic to $E_{-2}$ with $x = (X + 1)/(X + Y)$, $y = (-Y + X - 1)/(X + Y)$.

We summarize these calculations in Algorithm 1. 

Algorithm 1: HessianEncode

input : A Hessian elliptic curve $E_d/\mathbb{F}_q : x^3 + y^3 + 1 = 3dxy$, $d \neq 1$, and $t \in \mathbb{F}_q$.
output: A point $(x_t : y_t : 1)$ on $E_d$.

if $d = -2$ then    /* $t \neq 0$ */
    $Y := t$; $X := (t + t^2)^{1/3 \bmod q-1}$;
    $x_t := (X + 1)/(X + Y)$; $y_t := (-Y + X - 1)/(X + Y)$;
    return $(x_t : y_t : 1)$
$a := \frac{d^2 + d + 1}{3\,(d+2)^3}$;    /* $t \neq \frac{(2d+1)(d^2+d+7)}{18\,(d+2)^3}$ */
if $t = \pm 3a/2$ then
    $Y := 0$; $X := 0$;
else    /* $Y \neq 0$ */
    $Y := \frac{12\,t^2 - 27\,a^2}{36\,t + 54\,a - 4}$; $\Delta := (36\,Y\,(2t + 3a))^{1/3 \bmod q-1}$; $X := \Delta/6 + 2Y/\Delta$;
$x_t := \frac{3\,(d+2)^2\,(Y(d+2) + X)}{3\,(d+2)^2 X + d^2 + d + 1}$;
$y_t := -\frac{3\,(d+1)(d+2)^2 X + 3\,(d+2)^3 Y + d^2 + d + 1}{3\,(d+2)^2 X + d^2 + d + 1}$;
return $(x_t : y_t : 1)$

Figure 1. Encoding on Hessian elliptic curves

In addition, we have proved what follows. 

Theorem 3.1. Let $\mathbb{F}_q$ be the finite field with $q$ elements. Suppose $q$ odd and $q \equiv 2 \bmod 3$. Let $E_d/\mathbb{F}_q$ be the elliptic curve defined by Eq. (3.4).

Then Algorithm 1 computes a deterministic encoding $e_d$ to $E_d$, from $\mathbb{F}_q^*$ if $d = -2$ and from $\mathbb{F}_q \setminus \left\{ \frac{(2d+1)(d^2+d+7)}{18\,(d+2)^3} \right\}$ otherwise, in time $O(\log^{2+o(1)} q)$.

A way to quantify the number of curves defined by Eq. (3.4) is to compute their $j$-invariant. Here, we obtain

(3.6) $$j_{E_d} = 27\,\frac{d^3\,(d+2)^3\,(d^2 - 2d + 4)^3}{(d-1)^3\,(d^2 + d + 1)^3}.$$

When $q \equiv 2 \bmod 3$, there are exactly $\lfloor q/2 \rfloor$ distinct such invariants. Additionally, one can show that there exist $q - 1$ distinct $\mathbb{F}_q$-isomorphism classes of Hessian elliptic curves (see [9]).

3.1.2. Cardinality of the image. It is easy to see that $|\mathrm{Im}\, e_{-2}| = q - 1$, simply because $Y = t \neq 0$. Now, determining $|\mathrm{Im}\, e_d|$ for $d \neq 1, -2$ needs some more work, but can still be evaluated exactly.

Theorem 3.2. Let $d \neq 1, -2$, then $|\mathrm{Im}\, e_d| = (q + 1)/2$ if $(d - 1)/(d + 2)$ is a quadratic residue in $\mathbb{F}_q$ and $|\mathrm{Im}\, e_d| = (q - 1)/2$ otherwise.



Proof. Let $(x : y : 1)$ be a point on $E_d$, then there exists a unique point $(X : Y : 1)$ on $C_{0,a}$ sent by Isomorphism (3.5) to $(x : y : 1)$.

Viewed as a polynomial in $t$, the equation $12\,t^2 - 36\,Y t - 54\,Y a - 27\,a^2 + 4\,Y = 0$ has 0 or 2 solutions except when $27\,Y^2 + (-4 + 54\,a)\,Y + 27\,a^2 = 0$. The latter has no root if $1 - 27\,a = (d - 1)^3/(d + 2)^3$ is a quadratic non-residue, and two distinct roots denoted $Y_0$ and $Y_1$ otherwise (if $a = 1/27$, the curve $C_{0,a}$ degenerates into a genus 0 curve).

Let us summarize when $(d - 1)/(d + 2)$ is a quadratic residue in $\mathbb{F}_q$.

• (1 element) If $t \in \left\{ \frac{(2d+1)(d^2+d+7)}{18\,(d+2)^3} \right\}$, then $t$ is not encodable by $e_d$;

• (2 elements) If $t \in \left\{ \pm \frac{d^2+d+1}{2\,(d+2)^3} \right\}$, then $e_d(t) = (0 : -1 : 1)$;

• (2 elements) If $t_i$ is a (double) root of $12\,t^2 - (36\,t - 4 + 54\,a)\,Y_i - 27\,a^2$ with $i = 0, 1$, we obtain two distinct points $e_d(t_i) = (x_{t_i} : y_{t_i} : 1)$;

• ($q - 5$ elements) Else, for each remaining $t$, there exists exactly one other $t'$ such that $e_d(t) = e_d(t') = (x_t : y_t : 1)$.

We thus obtain $(q - 5)/2 + 2 + 2 = (q + 1)/2$ distinct rational points on the curve. Similarly if $(d - 1)/(d + 2)$ is a quadratic non-residue in $\mathbb{F}_q$, we obtain $(q - 1)/2$ distinct rational points on $E_d$.

□
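Algorithm 1 and the image sizes stated in Section 3.1.2 can be checked by exhaustive enumeration over a small field. The Python sketch below is an added example, not code from the paper; the function names and the field size q = 101 are assumptions chosen for illustration, and q is assumed to be an odd prime with q ≡ 2 mod 3.

```python
"""Added example: Algorithm 1 (HessianEncode) over a small prime field F_q."""


class NotEncodable(ValueError):
    """Raised for the single parameter t that the map cannot encode."""


def inv(v, q):
    # Modular inverse in F_q (Python >= 3.8).
    return pow(v % q, -1, q)


def cube_root(v, q):
    # For q = 2 mod 3, x -> x^3 is a bijection of F_q; it is inverted by
    # exponentiation to e = 1/3 mod (q - 1). No square root is ever taken.
    return pow(v % q, pow(3, -1, q - 1), q)


def hessian_encode(d, t, q):
    """Map t in F_q to an affine point (x, y) of E_d: x^3 + y^3 + 1 = 3dxy."""
    if q % 2 == 0 or q % 3 != 2:
        raise ValueError("need q odd with q = 2 mod 3")
    d, t = d % q, t % q
    if d == 1:
        raise ValueError("d = 1 is excluded")
    if d == q - 2:  # d = -2: go through the curve Y^2 + Y = X^3
        if t == 0:
            raise NotEncodable("t = 0 is excluded when d = -2")
        Y, X = t, cube_root(t * t + t, q)
        k = inv(X + Y, q)
        return (X + 1) * k % q, (X - Y - 1) * k % q
    c, e2, e3 = d * d + d + 1, (d + 2) ** 2, (d + 2) ** 3
    a = c * inv(3 * e3, q) % q
    den_y = (36 * t + 54 * a - 4) % q
    if den_y == 0:  # t = (2d+1)(d^2+d+7) / (18 (d+2)^3)
        raise NotEncodable("excluded value of t")
    Y = (12 * t * t - 27 * a * a) * inv(den_y, q) % q
    if Y == 0:  # happens exactly for t = +-3a/2
        X = 0
    else:
        delta = cube_root(36 * Y * (2 * t + 3 * a), q)
        X = (delta * inv(6, q) + 2 * Y * inv(delta, q)) % q
    k = inv(3 * e2 * X + c, q)
    x = 3 * e2 * ((d + 2) * Y + X) * k % q
    y = -(3 * (d + 1) * e2 * X + 3 * e3 * Y + c) * k % q
    return x, y


def on_curve(d, point, q):
    x, y = point
    return (x ** 3 + y ** 3 + 1 - 3 * d * x * y) % q == 0


def image(d, q):
    """Set of points reached by the encoding when t runs over F_q."""
    points = set()
    for t in range(q):
        try:
            points.add(hessian_encode(d, t, q))
        except NotEncodable:
            pass
    return points


def expected_image_size(d, q):
    """Image size predicted in Section 3.1.2 (Theorem 3.2 for d != -2)."""
    d %= q
    if d == q - 2:
        return q - 1
    ratio = (d - 1) * inv(d + 2, q) % q
    is_residue = pow(ratio, (q - 1) // 2, q) == 1  # Euler's criterion
    return (q + 1) // 2 if is_residue else (q - 1) // 2


if __name__ == "__main__":
    q = 101  # constructed toy field, far below cryptographic size
    for d in (0, 2, 7, q - 2):
        pts = image(d, q)
        assert all(on_curve(d, p, q) for p in pts)
        print(d, len(pts), expected_image_size(d, q))
```

Since roughly half of the curve is reached and every reached point has at most two preimages, an implementer can use the same enumeration on a toy field as a regression test before moving to cryptographic sizes.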

3.1.3. Related work. Compared to Icart's formulae [10], this encoding has two drawbacks of limited practical impact:

• it does not work for any elliptic curves, but only for Hessian curves;

• the subset of the curve which can be parameterized is slightly smaller than in Icart's case: we get $\simeq q/2$ points against approximately $5/8\,\#E \pm \lambda\sqrt{q}$.

Nonetheless, it has three major practical advantages:

• recovering the parameter $t$ from a given point $(x : y : 1)$ is much easier: we only have to find the roots of a degree 2 equation instead of a degree 4 one;

• the parameter $t$ only depends on $y$: we can save half of the bandwidth of a protocol by sending only $y$ and not the whole point $(x : y : 1)$;

• $y_t$ is computable using only simple (rational) finite field operations: no exponentiation is required, but it carries the whole information on the encoded point.

3.2. Genus 2 curves. 

3.2.1. Parameterizations. In the same spirit as in Section 3.1, we made a systematic study 
of Curves (3.2) of (generic) genus 2 as a function of the degree of the numerators and the 
denominators of the rational fraction S(Y) and T(Y). Results are in Tab. 2. 







Table 2. Degrees of $S(Y)$ and $T(Y)$ for genus 2 plane curves given by Eq. (3.2)



We can see that there are three cases of interest:

• $S(Y)$ and $T(Y)$ both rational fractions of degree 1;

• $S(Y)$ a rational fraction of degree 2 and $T(Y)$ a constant;

• $S(Y)$ a constant and $T(Y)$ a rational fraction of degree 2.

We now study the first two cases. We omit the third one because it turns out that it yields curves already obtained in the second case.

Footnote (Section 3.1.3): For example, we could imagine that a limited power device computes the encoded $y$ and sends it to another device specialized in curve operations, which in turn computes the associated $x$ and realizes the group operations.

3.2.2. $S(Y)$ and $T(Y)$ rational fractions of degree 1. Let $S(Y) = (\alpha Y + \beta)/(\gamma Y + \delta)$ and $T(Y) = (\varepsilon Y + \varphi)/(\mu Y + \nu)$, then Curve (3.2) is birationally equivalent to curves of the form $y^2/d^2 = (x^3 + 3\,a\,x + 2\,c)^2 + 8\,b\,x^3$ where

$$a = \frac{\delta\varepsilon - \gamma\varphi}{\delta\mu - \gamma\nu}, \quad b = \frac{(\alpha\delta - \gamma\beta)(\mu\varphi - \varepsilon\nu)}{(\delta\mu - \gamma\nu)^2}, \quad c = \frac{\beta\varepsilon - \alpha\varphi}{\delta\mu - \gamma\nu} \quad\text{and}\quad d = (\delta\mu - \gamma\nu).$$

Many of these curves are isomorphic to each other and, without any loss of generality, we can set $c = 1$ and $d = 1$. We thus finally restrict to $S(Y) = -Y$, $T(Y) = (a^2 Y + a)/(aY + b + 1)$, so that, when $4\,a^6 b^3 - b^3 (b^2 + 20\,b - 8)\,a^3 + 4\,b^3 (b + 1)^3 \neq 0$, Curve (3.2) is birationally equivalent to the Weierstrass model of a genus 2 curve,

(3.7) $H_{1,a,b} : y^2 = (x^3 + 3\,a\,x + 2)^2 + 8\,b\,x^3$,

with $x = X$ and $y = -4\,aY + X^3 + 3\,aX - 2$.

Besides, Curve

(3.8) $S^2(Y) + T(Y) = Y^2 + (a^2 Y + a)/(aY + 1 + b) = Z^2$

is birationally equivalent to the Weierstrass elliptic curve

(3.9) $$V^2 = U^3 + \left(-a^6 + 2\,(b+1)(2b-1)\,a^3 - (b+1)^4\right)\frac{U}{3} + \frac{1}{27}\left(2\,a^9 + 3\,(2 - 2b + 5b^2)\,a^6 - 6\,(2b-1)(b+1)^3 a^3 + 2\,(b+1)^6\right).$$

The latter can now be parameterized with Icart's method. This yields

$$U = \frac{1}{6}\sqrt[3]{\frac{2\delta}{t^2}} + \frac{t^2}{3}, \qquad V = \frac{1}{6}\sqrt[3]{2\delta t} + \frac{t^3}{6} + \frac{1}{6t}\left(-a^6 + 2\,(b+1)(2b-1)\,a^3 - (b+1)^4\right)$$

with

$$\delta = -t^8 + \left(-12\,(b+1)(2b-1)\,a^3 + 6\,a^6 + 6\,(b+1)^4\right)t^4 + \left(12\,(2b - 5b^2 - 2)\,a^6 - 8\,(b+1)^6 - 8\,a^9 + 24\,(2b-1)(b+1)^3 a^3\right)t^2 + 3\left(a^6 - 2\,(b+1)(2b-1)\,a^3 + (b+1)^4\right)^2.$$

Now, going back through the birational change of variables between Curve (3.9) and Curve (3.8), we get $Y$ and $Z$ from $U$ and $V$ (cf. Algorithm 2 for precise formulae). Let now $\Delta = \sqrt[3]{T(Y)\,(Z - S(Y))}$, then $X = \Delta - T(Y)/\Delta$.

Algorithm 2: Genus2Type1Encode

input : A curve $H_{1,a,b}$ defined by Eq. (3.7) on $\mathbb{F}_q$, an element $t \in \mathbb{F}_q \setminus S_1$.
output: A point $(x_t : y_t : 1)$ on $H_{1,a,b}$.

$\delta := -t^8 + (-12\,(b+1)(2b-1)\,a^3 + 6\,a^6 + 6\,(b+1)^4)\,t^4 + (12\,(2b - 5b^2 - 2)\,a^6 - 8\,(b+1)^6 - 8\,a^9 + 24\,(2b-1)(b+1)^3 a^3)\,t^2 + 3\,(a^6 - 2\,(b+1)(2b-1)\,a^3 + (b+1)^4)^2$;
$U := ((2\delta/t^2)^{1/3 \bmod q-1} + 2\,t^2)/6$;
$V := (2\delta t)^{1/3 \bmod q-1}/6 + t^3/6 + (-a^6 + 2\,(b+1)(2b-1)\,a^3 - (b+1)^4)/(6t)$;
$W := -3\,aU + a\,((b+1)^2 + a^3)$; $Y := (3\,(b+1)\,U + (2b-1)\,a^3 - (b+1)^3)/W$; $Z := 3V/W$;
$T := (a^2 Y + a)/(aY + b + 1)$; $\Delta := (T\,(Z + Y))^{1/3 \bmod q-1}$;
$x_t := \Delta - T/\Delta$; $y_t := -4\,aY + x_t^3 + 3\,a\,x_t - 2$;
return $(x_t : y_t : 1)$

Figure 2. Encoding on genus 2 curves (of the type 1)

So, we obtain the following theorem.
Theorem 3.3. Let $\mathbb{F}_q$ be the finite field with $q$ elements. Suppose $q$ odd and $q \equiv 2 \bmod 3$. Let $H_{1,a,b}/\mathbb{F}_q$ be the hyperelliptic curve of genus 2 defined by Eq. (3.7).

Then, Algorithm 2 computes a deterministic encoding $e_{1,a,b} : \mathbb{F}_q^* \setminus S_1 \to H_{1,a,b}$, where $S_1$ is a subset of $\mathbb{F}_q$ of size at most 74, in time $O(\log^{2+o(1)} q)$.

Proof. The previous formulae define a deterministic encoding provided that $t$, $W$, $aY + b + 1$ and $\Delta$ are not 0.

The condition $W = 0$ yields a polynomial in $t$ of degree 8, we thus have at most 8 values for which $W = 0$. Similarly, the condition $aY + b + 1 = 0$ yields at most 8 additional values for which $W = 0$.

Now $\Delta = 0$ if and only if $T = 0$ or $Z = -Y$. The condition $T = 0$ yields 8 additional values. Similarly, the condition $Z + Y = 0$ yields a polynomial in $t$ of degree 10, we thus have in this case at most 18 values for which $\Delta = 0$.

The total number of field elements which cannot be encoded finally amounts to at most 35.

□

3.2.3. Cardinality of the image. Let $(X, Y)$ be a rational point on a $C_{1,a,b}$ curve, let $t$ be a possible preimage of $(X, Y)$ by our encoding $e_{1,a,b}$. Then there exists a polynomial relation in $Y$ and $t$ of degree at most 8 in $t$ (cf. Algorithm 2). Hence $(X, Y)$ has at most 8 preimages by $e_{1,a,b}$. Therefore, $|\mathrm{Im}\, e_{1,a,b}| > (q - 35)/8$.

3.2.4. Number of curves. Igusa invariants of these curves are equal to

$J_2 = 2^6\,3\,(-9\,a^3 + 4\,b^2 + 4\,b - 9)$,

$J_4 = 2^{10}\,3\,(-9\,b\,(4b - 15)\,a^3 + 4\,b\,(b+1)(2\,b^2 + 2\,b - 27))$,

$J_6 = 2^{14}\,(729\,a^6 b^2 - 216\,b^2 (2\,b^2 + 3\,b + 21)\,a^3 + 16\,b^2 (4\,b^2 + 4\,b + 81)(b+1)^2)$,

$J_8 = 2^{18}\,3\,(-6561\,a^9 b^2 + 2916\,b^2 (-7 + b^2 + 13\,b)\,a^6 - 144\,b^2 (4\,b^4 + 63\,b^3 + 450\,b^2 - 149\,b - 810)\,a^3 + 64\,b^2 (b^4 + 2\,b^3 + 154\,b^2 + 153\,b - 729)(b+1)^2)$,

$J_{10} = 2^{28}\,3^6\,(4\,a^6 b^3 - b^3 (b^2 + 20\,b - 8)\,a^3 + 4\,b^3 (b+1)^3)$.

The geometric locus of these invariants is a surface of dimension 2 given by a homogeneous equation of degree 90 (which is far too large to be written here). Consequently, Eq. (3.7) defines $O(q^2)$ distinct curves over $\mathbb{F}_q$.

3.2.5. $S(Y)$ a rational fraction of degree 2. Let now $S(Y) = (\alpha Y^2 + \beta Y + \gamma)/(\delta Y^2 + \varepsilon Y + \varphi)$ and $T(Y) = \kappa$, then Curve (3.2) is birationally equivalent to curves of the form $y^2/\lambda = (x^3 + 3\,\mu\,x + 2\,a)^2 + 4\,b$ where

$$\lambda = \varepsilon^2 - 4\,\varphi\delta, \quad \mu = \kappa, \quad a = \frac{1}{\lambda}\,(\varepsilon\beta - 2\,\delta\gamma - 2\,\varphi\alpha) \quad\text{and}\quad b = \frac{1}{\lambda}\,(\beta^2 - 4\,\alpha\gamma) - a^2.$$

Many of these curves are isomorphic to each other and, without any loss of generality, we can set $\lambda$ and $\mu$ to be either any quadratic residues (for instance $\lambda, \mu = 1$) or any non-quadratic residues (for instance $\lambda, \mu = -3$ because $q \equiv 2 \bmod 3$).

We finally arrive at

$$S(Y) = \frac{\lambda\,(a - u)\,Y^2 - 4\,vY - 4\,(a + u)}{\mu\,(\lambda Y^2 - 4)} \quad\text{and}\quad T(Y) = \mu,$$

where $u = \mu^3/2w - w/2 - a$ for some $w \in \mathbb{F}_q^*$. Then, when $b^3 \lambda^{10} (\mu^6 + 2\,\mu^3 a^2 - 2\,b\mu^3 + a^4 + 2\,b a^2 + b^2) \neq 0$, Curve (3.2) is birationally equivalent to the Weierstrass model of a genus 2 curve,

(3.10) $H_{2,\lambda,\mu,a,v,w} : y^2/\lambda = (x^3 + 3\,\mu\,x + 2\,a)^2 + 4\,b$,

where $b = v^2/\lambda - u^2$ for some $v$ in $\mathbb{F}_q$, $x = X$ and $y = \lambda\,(X^3/2 + 3\,\mu X/2 + a - u)\,Y - 2\,v$.

We may remark that computing $u$ and $w$ from $b$ is the same as computing a point $(v : w : 1)$ on the elliptic curve $v^2/\lambda - (\mu^3/2w - w/2 - a)^2 - b = 0$. This can be done in deterministic time from Icart's formulae when one can exhibit an $\mathbb{F}_q$-rational bilinear change of variable between this curve and a cubic Weierstrass model, typically when $\lambda = 1$ (but no more when $\lambda = -3$).

Besides, let $z = w/2 + \mu^3/2w$ and thus $(u + a)^2 + \mu^3 = z^2$, then

(3.11) $$\mu^2 (\lambda Y^2 - 4)^2 (S(Y)^2 + T(Y)) = -\lambda^2 (4\,ua - z^2)\,Y^4 - 8\,\lambda v\,(a - u)\,Y^3 - 8\,\lambda\,(4\,\mu^3 - 3\,z^2 - 2\,b + 6\,ua + 4\,a^2)\,Y^2 + 32\,v\,(u + a)\,Y + 16\,z^2 = Z^2$$

is birationally equivalent to the Weierstrass elliptic curve

(3.12) $$V^2 = U^3 + 2^8 \lambda^2 \left(-\mu^6 + (b - 2\,a^2)\,\mu^3 - (a^2 + b)^2\right) U/3 + 2^{12} \lambda^3 \left(2\,\mu^9 + (6\,a^2 - 3\,b)\,\mu^6 - 3\,(a^2 + b)(b - 2\,a^2)\,\mu^3 + 2\,(a^2 + b)^3\right)/3^3.$$

The latter can now be parameterized with Icart's method. This yields

$$U = \frac{1}{6}\sqrt[3]{\frac{2\delta}{t^2}} + \frac{t^2}{3}, \qquad V = \frac{1}{6}\sqrt[3]{2\delta t} + \frac{t^3}{6} + 128\left(-\mu^6 + (b - 2\,a^2)\,\mu^3 - (b + a^2)^2\right)\frac{\lambda^2}{3t}$$

with

(3.13) $$\delta = -t^8 + 2^9\,3\,\left(\mu^6 + (-b + 2\,a^2)\,\mu^3 + (a^2 + b)^2\right)\lambda^2 t^4 + 2^{14}\left(-2\,\mu^9 - (6\,a^2 - 3\,b)\,\mu^6 + 3\,(a^2 + b)(b - 2\,a^2)\,\mu^3 - 2\,(a^2 + b)^3\right)\lambda^3 t^2 + 2^{16}\,3\,\left(\mu^{12} + (-2\,b + 4\,a^2)\,\mu^9 + (3\,b^2 + 6\,a^4)\,\mu^6 + 2\,(a^2 + b)^2 (-b + 2\,a^2)\,\mu^3 + (a^2 + b)^4\right)\lambda^4.$$

Again, going back through a birational change of variables between Curves (3.12) and (3.11), we get $Y$ and $Z$ from $U$ and $V$ (cf. Algorithm 3 for precise formulae). Let now $\Delta = \sqrt[3]{T(Y)\,(Z/\mu(\lambda Y^2 - 4) - S(Y))}$, then $X = \Delta - T(Y)/\Delta$.

Algorithm 3: Genus2Type2Encode

input : A curve $H_{2,\lambda,\mu,a,v,w}$ defined by Eq. (3.10) on $\mathbb{F}_q$, an element $t \in \mathbb{F}_q \setminus S_2$.
output: A point $(x_t : y_t : 1)$ on $H_{2,\lambda,\mu,a,v,w}$.

$u := -(2\,aw + w^2 - \mu^3)/2w$; $b := v^2/\lambda - u^2$; $z := (w^2 + \mu^3)/2w$;
$\delta := -t^8 + 2^9\,3\,(\mu^6 + (-b + 2\,a^2)\,\mu^3 + (a^2 + b)^2)\,\lambda^2 t^4 + 2^{14}\,(-2\,\mu^9 - (6\,a^2 - 3\,b)\,\mu^6 + 3\,(a^2 + b)(b - 2\,a^2)\,\mu^3 - 2\,(a^2 + b)^3)\,\lambda^3 t^2 + 2^{16}\,3\,(\mu^{12} + (-2\,b + 4\,a^2)\,\mu^9 + (3\,b^2 + 6\,a^4)\,\mu^6 + 2\,(a^2 + b)^2 (-b + 2\,a^2)\,\mu^3 + (a^2 + b)^4)\,\lambda^4$;
$U := ((2\delta/t^2)^{1/3 \bmod q-1} + 2\,t^2)/6$;
$V := (2\delta t)^{1/3 \bmod q-1}/6 + t^3/6 + 128\,(-\mu^6 + (b - 2\,a^2)\,\mu^3 - (b + a^2)^2)\,\lambda^2/3t$;
W ~ -9(7 2 -48A(-3z 2 - 2 6 + Qua + 4a 2 + 4 u 3 )U + 256 (-4 /j, 6 + (6 z 2 + a 2 - 12 ua + 4% 3 + 

(6 + a 2 )(5 a 2 + 6 ua - b - 3 z 2 ))A 2 ; 
y := (-288v(u + a)U -72 zV + 1536 \v(bu + a 3 -2 fi 3 u + ab + a^i 3 +ua 2 ))/W; 
Z := -{-324 zU 4 + (6912 \u 3 z + 1728 Az(-3z 2 - 2 6 + 6ua + 4a 2 ))U 3 - 2592 u(u + a)[/ 2 V 

+ (-27648 A 2 z(6 + a 2 )(2 a 2 + 6 ua - 4 6 - 3 z 2 ) + 193536 A 2 z^ 6 - 27648 A 2 z(-5 a 2 - 12 ua + 6 z 2 + 7 b)u 3 )U 2 
+ (27648 Xv(-2 u + a)/z 3 + 27648 \v(b + a 2 )(u + a))UV + (49152 A 3 z(36 a 3 u - 18 aV + 12 a 4 + 9 z 2 b + 30 6 2 
-12 a 2 6 - 18 aub)u 3 + 49152 A 3 z(-6 6 + 18 ua + 12 a 2 - 9 z 2 )^ + 49152 A 3 z(6 + a 2 ) 2 (4 a 2 + 18 ua 
-14 6 - 9 z 2 ) + 196608 X 3 n 9 z)U + (-73728 uA 2 (6 + a 2 ) 2 (u + a) - 73728 t>A 2 (4 u - 8 a)u 6 - 73728 v\ 2 
(-4 6u + 9 z 2 a - 7 a 3 - 13 ua 2 + 2 a% 3 )^ - 7340032 A*V 2 z - 262144 A 4 z(60 ua - 56 6 + 85 a 2 - 30 z 2 )^ 9 
-262144 A 4 z(6 + a 2 )(31 a 4 + 72 a 3 u - 10 a 2 6 - 36 a 2 z 2 + 18 au& + 13 6 2 - 9 z 2 b)fi 3 - 262144 X 4 z{b + a 2 ) 3 
(a 2 + 6 ua - 5 b - 3 z 2 ) - 262144 A 4 z(15 6 2 + 87a 4 - 63 a 2 z 2 + 45 z 2 6 - 90 aub - 33 a 2 6 + 126 a 3 u)u 6 )/W 2 ; 
$S := \lambda\,(-u + a)\,Y^2 - 4\,vY - 4\,a - 4\,u$; $\Delta := ((Z - S)/(\lambda Y^2 - 4))^{1/3 \bmod q-1}$;
$x_t := \Delta - \mu/\Delta$; $y_t := \lambda\,(x_t^3/2 + 3\,\mu\,x_t/2 + a - u)\,Y - 2\,v$;
return $(x_t : y_t : 1)$

Figure 3. Encoding on genus 2 curves (of the type 2)

So, we obtain the following theorem.



Theorem 3.4. Let $\mathbb{F}_q$ be the finite field with $q$ elements. Suppose $q$ odd and $q \equiv 2 \bmod 3$. Let $H_{2,\lambda,\mu,a,v,w}/\mathbb{F}_q$ be the hyperelliptic curve of genus 2 defined by Eq. (3.10).

Then, Algorithm 3 computes a deterministic encoding $e_{2,\lambda,\mu,a,v,w} : \mathbb{F}_q^* \setminus S_2 \to H_{2,\lambda,\mu,a,v,w}$, where $S_2$ is a subset of $\mathbb{F}_q$ of size at most 233, in time $O(\log^{2+o(1)} q)$.

Proof. The previous formulae define a deterministic encoding provided that $t$, $W$, $\lambda Y^2 - 4$ and $Z - S$ are not 0.

The condition $W = 0$ yields a polynomial in $U$ of degree 2, we thus have at most 2 values for $U$ for which $W = 0$. Each value of $U$ then yields a polynomial in $t$, derived from $\delta$, of degree 8. We thus have at most 16 values for $t$ to avoid in this case.

The condition $\lambda Y^2 - 4 = 0$ similarly yields 2 values for $Y$. Each such value yields in return a polynomial of degree 2 in $U$, and degree 1 in $V$, which can be seen as a curve in $t$ and $r = \sqrt[3]{2t\delta}$ of degree at most 6. Besides $r^3 = 2t\delta$ is a curve of degree at most 9. Bezout's theorem thus yields a maximal number of $2 \times 6 \times 9 = 108$ intersection points, or equivalently values for $t$, to avoid in this case.

Finally, the condition $Z = S$ can be seen as a curve in $t$ and $r$ of degree 12. Thus, this yields a maximal number of $12 \times 9 = 108$ values too.

So, the total number of field elements which cannot be encoded finally amounts to at most $1 + 16 + 2 \times 108 = 233$.

□

3.2.6. Cardinality of the image. Let $(X, Y)$ be a rational point on $H_{2,\lambda,\mu,a,v,w}$ and $t$ a preimage by $e_{2,\lambda,\mu,a,v,w}$. Then we have seen in the proof of Theorem 3.4 that $t$ and $r = \sqrt[3]{2t\delta}$ are defined as intersection points of two curves, one of degree 6 parameterized by $Y$ and the other one of degree 9 from the definition of $\delta$. In full generality, this might yield for some curves and some of their points a total number of at most 54 $t$'s. Therefore, $|\mathrm{Im}\, e_{1,a,b}| \geq (q - 233)/54$.

3.2.7. Number of curves. Igusa invariants of these curves are equal to

$J_2 = -2^6\,3\,\lambda^2 (9\,\mu^3 + 9\,a^2 + 10\,b)$,

$J_4 = 2^9\,3\,b\,\lambda^4 (297\,\mu^3 + 54\,a^2 + 55\,b)$,

$J_6 = 2^{14}\,b^2 \lambda^6 (-6480\,\mu^3 + 81\,a^2 + 80\,b)$,

$J_8 = -2^{16}\,3\,b^2 \lambda^8 (31347\,\mu^6 - 134136\,\mu^3 a^2 - 158310\,b\mu^3 + 11664\,a^4 + 23940\,b a^2 + 12275\,b^2)$,

$J_{10} = -2^{24}\,3^6\,b^3 \lambda^{10} (\mu^6 + 2\,\mu^3 a^2 - 2\,b\mu^3 + a^4 + 2\,b a^2 + b^2)$.

Here, the geometric locus of these invariants is a surface of dimension 2 given by a homogeneous equation of degree 30,

$$\begin{aligned}
&11852352\,J_2^5 J_{10}^2 + 196992\,J_2^5 J_4 J_6 J_{10} - 362998800\,J_2^3 J_4 J_{10}^2 + 64\,J_2^6 J_6^3 - 636672\,J_2^4 J_6^2 J_{10} \\
&- 895349625\,J_2^2 J_6 J_{10}^2 - 64097340625\,J_{10}^3 - 373248\,J_2^4 J_4^3 J_{10} - 4466016\,J_2^3 J_4^2 J_6 J_{10} \\
&+ 2903657625\,J_2 J_4^2 J_{10}^2 - 3984\,J_2^4 J_4 J_6^3 + 606810\,J_2^2 J_4 J_6^2 J_{10} + 3383973750\,J_4 J_6 J_{10}^2 + 1647\,J_2^3 J_6^4 \\
&+ 49583475\,J_2 J_6^3 J_{10} + 11290752\,J_2^2 J_4^4 J_{10} + 38072430\,J_2 J_4^3 J_6 J_{10} + 76593\,J_2^2 J_4^2 J_6^3 \\
&- 115457700\,J_4^2 J_6^2 J_{10} + 20196\,J_2 J_4 J_6^4 - 530604\,J_6^5 - 85386312\,J_4^5 J_{10} - 468512\,J_4^3 J_6^3 = 0.
\end{aligned}$$

This shows that Eq. (3.10) defines $O(q^2)$ distinct curves over $\mathbb{F}_q$.

4. Hyperelliptic curves of any genus 

In this section, we present two families of parametric polynomials which provide deterministic parameterizable hyperelliptic curves of genus $g \geq 2$.

4.1. Quasiquadratic polynomials. Curves of the form $y^2 = f(x)$, where $f$ is a family of polynomials that are solvable whatever the constant coefficient is, may yield parameterizable hyperelliptic curves. Typically, we may consider polynomials $f$ of degree 2, 3 or 4 or some solvable families of higher degree polynomials. Here, we restrict ourselves to quadratic polynomials since they yield non-trivial hyperelliptic curves for any genus.

We define quasiquadratic polynomials as follows. 




Definition 4.1 (Quasiquadratic polynomials). Let $K$ be a field and $d$ be an integer coprime with $\operatorname{char} K$. The family of quasiquadratic polynomials $q_{a,b}(x) \in K[x]$ of degree $2d$ is defined for $a, b \in K$ by $q_{a,b}(x) = x^{2d} + a x^d + b$.

Quasiquadratic polynomials define an easily parameterized family of hyperelliptic curves $y^2 = q_{a,b}(x)$ (see Algorithm 4). When $d$ does not divide $q - 1$, these curves are isomorphic to curves $y^2 = q_{1,a}(x)$ by the variable substitution $x \to a^{1/d} x$.



Algorithm 4: QuasiQuadraticEncode 

input : A curve $H_a : x^{2d} + x^d + a = y^2$, and $t \in \mathbb{F}_q \setminus \{1/2\}$.
output: A point $(x_t : y_t : 1)$ on $H_a$

$\alpha := (t^2 - a)/(1 - 2t)$;
$x_t := \alpha^{1/d}$; $y_t := (-a + t - t^2)/(1 - 2t)$;
return $(x_t : y_t : 1)$

Figure 4. Encoding on quasiquadratic curves 

Theorem 4.2. Let $\mathbb{F}_q$ be the finite field with $q$ elements. Suppose $q \neq 2, 3$ and $d$ coprime with $q - 1$. Let $H_a/\mathbb{F}_q : y^2 = x^{2d} + x^d + a$ be an hyperelliptic curve where $a$ is such that the quasiquadratic polynomial $q_{1,a}$ has a non-zero discriminant over $\mathbb{F}_q$.

Algorithm 4 computes a deterministic encoding $e_a : \mathbb{F}_q^* \setminus \{1/2\} \to H_a$ in time $O(\log^{2+o(1)} q)$.

Genus of $H_a$. Let $q_{1,a} \in \mathbb{F}_q[X]$ and $H_a : q_{1,a}(x) = y^2$, where $q_{1,a}$ has degree $2d$. We have requested that the discriminant of $q_{1,a}$ is not 0. This implies that $q_{1,a}$ has exactly $2d$ distinct roots. Thus $H_a$ has genus $d - 1$ provided $H_a$ has no singularity except at the point at infinity. It remains to study the points of the curve where both derivatives in $x$ and $y$ are simultaneously 0. This implies $y = 0$. Thus the only singular points are the common roots of $q_{1,a}(x)$ and its derivative. Since we request that the discriminant of $q_{1,a}$ is not 0, there are no singular points.

For $d = 3$, $H_a$ is the well known family of genus 2 curves with automorphism group $D_{12}$ [7]. The geometric locus of these curves is a one-dimensional variety in the moduli space. Moreover, when $x \mapsto x^3$ is invertible over $\mathbb{F}_q$, these curves all have exactly $q + 1$ $\mathbb{F}_q$-points (but they have a much better distributed number of $\mathbb{F}_{q^2}$-points).

The encoding. The parameterization is quite simple. Let $H_a : x^{2d} + x^d + a = y^2$ be a quasiquadratic hyperelliptic curve. Setting $x = \alpha^{1/d}$ reduces the parameterization of $H_a$ to the parameterization of the conic $\alpha^2 + \alpha + a - y^2 = 0$, which easily gives $\alpha = (-a + t^2)/(1 - 2t)$ and $y = (-a + t - t^2)/(1 - 2t)$ for some parameter $t$. We finally obtain Algorithm 4.

Cardinality of the image.

Theorem 4.3. Given a rational point $(x : y : 1)$ on $H_a : q_{1,a}(x) = y^2$, the equation $e_a(t) = (x : y : 1)$ has exactly 1 solution. Thus, $|\operatorname{Im} e_a| = q - 1$.

Proof. Let $\alpha = x^d$, then $t$ is a solution of the degree 1 equation $y + \alpha = (t - 2a)/(1 - 2t)$.

□ 
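Algorithm 4 and Theorem 4.3 can be checked numerically on a small field. The Python code below is an added example, not code from the paper: it assumes a prime field $\mathbb{F}_p$, computes $d$-th roots by raising to the inverse of $d$ modulo $p - 1$, and the function names and the parameters $p = 101$, $d = 3$, $a = 5$ are constructed for illustration.

```python
from math import gcd

def make_encoder(p, d, a):
    """Algorithm 4 for H_a : y^2 = x^(2d) + x^d + a over F_p (p an odd prime)."""
    a %= p
    if gcd(d, p - 1) != 1:
        raise ValueError("d must be coprime with p - 1 (x -> x^d must be a bijection)")
    # q_{1,a} is squarefree iff p does not divide d, a != 0 and 4a != 1
    # (condition derived for this example from the derivative d*x^(d-1)*(2x^d + 1)).
    if d % p == 0 or a == 0 or (4 * a - 1) % p == 0:
        raise ValueError("q_{1,a} has zero discriminant")
    inv_d = pow(d, -1, p - 1)            # exponent that computes d-th roots in F_p

    def encode(t):
        t %= p
        den = (1 - 2 * t) % p
        if den == 0:
            raise ValueError("t = 1/2 is the one excluded parameter")
        inv = pow(den, -1, p)
        alpha = (t * t - a) * inv % p    # (alpha, y) lies on the conic, with y = alpha + t
        y = (-a + t - t * t) * inv % p
        x = pow(alpha, inv_d, p)         # x = alpha^(1/d)
        return x, y

    def decode(x, y):
        # y = alpha + t with alpha = x^d, so each point has this single preimage
        return (y - pow(x, d, p)) % p

    def on_curve(x, y):
        return (y * y - (pow(x, 2 * d, p) + pow(x, d, p) + a)) % p == 0

    return encode, decode, on_curve

def check_curve(p, d, a):
    """Encode every admissible t and compare with a brute-force affine point count."""
    encode, decode, on_curve = make_encoder(p, d, a)
    half = pow(2, -1, p)
    ts = [t for t in range(p) if t != half]
    pts = [encode(t) for t in ts]
    affine = sum(on_curve(x, y) for x in range(p) for y in range(p))
    return {
        "all_on_curve": all(on_curve(x, y) for x, y in pts),
        "round_trip": all(decode(*encode(t)) == t for t in ts),
        "image_size": len(set(pts)),
        "affine_points": affine,
    }

if __name__ == "__main__":
    print(check_curve(101, 3, 5))   # constructed parameters: p = 101, d = 3, a = 5
```

On these parameters the image has $q - 1$ distinct points, which is also the number of affine points of $H_a$; together with the two points at infinity this matches the $q + 1$ count stated above.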

4.2. De Moivre's polynomials. This well-known family of degree 5 polynomials was first introduced by De Moivre for the study of trigonometric equalities, and its study from a Galoisian point of view was done by Borger in [4]. This definition can be easily generalized to any odd degree.

Definition 4.4 (De Moivre's polynomials). Let $K$ be a field and $d$ be an odd integer coprime with $\operatorname{char} K$. The family of De Moivre's polynomials $p_{a,b}(x) \in K[x]$ of degree $d$ is defined for $a, b \in K$ by

$$p_{a,b}(x) = x^d + d a x^{d-2} + 2d a^2 x^{d-4} + 3d a^3 x^{d-6} + \cdots + 2d a^{(d-1)/2-1} x^3 + d a^{(d-1)/2} x + b .$$
Examples. De Moivre's polynomials of degree 5 are $x^5 + 5a x^3 + 5a^2 x + b$. De Moivre's polynomials of degree 13 are $x^{13} + 13a x^{11} + 26a^2 x^9 + 39a^3 x^7 + 39a^4 x^5 + 26a^5 x^3 + 13a^6 x + b$.

Borger proved in [4] that De Moivre's polynomials of degree 5 are solvable by radicals; the same is true for De Moivre's polynomials of any degree.

Lemma 4.5 (Resolution of De Moivre's polynomials). Let $p_{a,b}$ be a De Moivre's polynomial of degree $d$, let $\theta_0$ and $\theta_1$ be the roots of $q_{a,b}(\theta) = \theta^2 + b\theta - a^d$, then the roots of $p_{a,b}$ are

(aj k ti + u> k v x )o<^k<d 
where $(\omega_k)_{0 \leq k < d}$ are the $d$-th roots of unity.

Proof. As in the case of degree 5 (see [4]), we do the variable substitution $x = \gamma - a/\gamma$, then $\gamma^d$ is a root of the polynomial $q_{a,b}(\theta)$.

□ 
De Moivre's polynomials also define a family of deterministically parameterized hyperelliptic 
curves for any genus. 

Algorithm 5: DeMoivreEncode 

input : A curve $H : p_{a,b}(x) - y^2 = 0$, $u_0, v_0 \in \mathbb{F}_q$ such that $4a^5 + b^2 - 2bu_0 + u_0^2 = v_0^2$ and $t \in \mathbb{F}_q^* \setminus S$.
output: A point $(x_t : y_t : 1)$ on $H$

$\delta := -(3a^d + b^2 + t^4)/6t - 2b^3/27 - a^d b/3 - t^6/27$; $A := \delta^{1/3 \bmod q-1} + t^2/3$;
$Y := tA - (3a^d + b^2 + t^4)/(6t)$;
$\alpha := 3a^d/(-3A + b)$;
$y_t := -3Y/(-3A + b)$; $x_t := \alpha^{1/d \bmod q-1} + (-a^d/\alpha)^{1/d \bmod q-1}$;
return $(x_t : y_t : 1)$

Figure 5. Encoding on De Moivre's curves 

Theorem 4.6. Let $\mathbb{F}_q$ be the finite field with $q$ elements. Suppose $q$ odd and $q \equiv 2 \bmod 3$ and $d$ coprime with $q - 1$. Let $H_{a,b}/\mathbb{F}_q : y^2 = p_{a,b}(x)$ be the hyperelliptic curve where $p_{a,b}$ is a De Moivre polynomial defined over $\mathbb{F}_q$ with non-zero discriminant.

Algorithm 5 computes a deterministic encoding $e_{a,b} : \mathbb{F}_q^* \setminus S \to H_{a,b}$, where $S$ is a subset of $\mathbb{F}_q$ of size at most 7, in time $O(\log^{2+o(1)} q)$.

Conversely, given a point on $H$ we study how many elements in $\mathbb{F}_q$ yield this point.

Theorem 4.7. Given a point $(x : y : 1) \in H_{a,b}(\mathbb{F}_q)$, we can compute the solutions $s$ of the equation $e_{a,b}(s) = (x : y : 1)$ in time $O(\log^{2+o(1)} q)$. There are at most 8 solutions to this equation.

We give below proofs of these two theorems. 

4.2.1. Finite fields of odd characteristic. 

Genus and dimension of $H_{a,b}$. As in Section 4.1, since we request the discriminant of $q_{a,b}$ to be nonzero, there is no singularity except the point at infinity. Thus the genus of $H_{a,b}$ is $(d - 1)/2$.

The encoding. Thanks to Lemma 4.5, parameterizing rational points on $H_{a,b} : p_{a,b}(x) = y^2$ amounts to finding roots of $\theta^2 + (b - y^2)\theta - a^d$. Let them be $\alpha, \alpha'$, then we have $x = \alpha^{1/d} + \alpha'^{1/d}$, $\alpha\alpha' = -a^d$ and $\alpha + \alpha' = y^2 - b$. Thus $\alpha^2 - a^d = \alpha y^2 - b\alpha$. This is a genus 1 curve with variables $\alpha, y$ which is birationally equivalent to $Y^2 = A^3 + (-a^d - \tfrac{1}{3} b^2) A + \tfrac{2}{27} b^3 + \tfrac{1}{3} a^d b$, with $\alpha = 3a^d/(-3A + b)$ and $y = -3Y/(-3A + b)$.

This curve can be parameterized with Icart's method. This yields $A = \sqrt[3]{\delta} + t^2/3$, $Y = tA - (3a^d + b^2 + t^4)/6t$ where $\delta = -(3a^d + b^2 + t^4)/6t - 2b^3/27 - a^d b/3 - t^6/27$. We finally obtain Algorithm 5.
Restrictions. Previous necessary conditions on an encoding are also sufficient to give an encoding for $t \in \mathbb{F}_q$ provided that every variable substitution is computable.

In order to compute $A$ and $Y$ using the encoding from [10], we need $t \neq 0$. Then computing $y$ and $\alpha$ from $A$ and $Y$ we also request $-3A + b \neq 0$, that is $\delta \neq (b/3 - t^2/3)^3$. This amounts to a degree 7 equation, thus at most 7 elements of $\mathbb{F}_q$ are not encodable.

Complexity. Our encoding function uses one Icart's encoding, of complexity $O(\log^{2+o(1)} q)$ operations in $\mathbb{F}_q$, two exponentiations for computing $d$-th roots and a constant number of field operations. The total amounts to $O(\log^{2+o(1)} q)$ running time.

Computation of $e_{a,b}^{-1}$. Let $(x : y : 1)$ be a point on $H_{a,b}$. The polynomial $\beta^2 + x\beta - \sqrt[d]{-a^d}$ has at most two roots. Let $\beta$ be one, and $\alpha = \beta^5$. Let then $A = \tfrac{1}{3}(b\alpha - 3a^d)/\alpha$ and $Y = -y a^d/\alpha$, we are reduced to finding the solutions of an Icart's encoding. It admits at most 4 solutions per $\alpha$, thus there are at most 8 solutions to the equation $e_{a,b}(t) = (x : y : 1)$.

Genus 2 case. In this case we are interested in the dimension of the family of curves defined by De Moivre's polynomials, $H : y^2 = x^5 + 5a x^3 + 5a^2 x + b$. We have computed their Igusa invariants,

$$J_2 = 700\, a^2, \quad J_4 = 13750\, a^4, \quad J_6 = -2500\, a\,(3a^5 + 32b^2),$$

$$J_8 = -15625\, a^3 (3109\, a^5 + 896\, b^2), \quad J_{10} = 800000\, (4a^5 + b^2)^2,$$

from which it is easy to derive numerous algebraic relations. This reduces the set of curves from an expected $q^2$ because of the two parameters $a$ and $b$ to a set of cardinality $O(q)$.

4.2.2. Finite fields of characteristic two. The case of characteristic 2 is very similar. De Moivre's polynomials are solvable using the same auxiliary polynomial. A dimension 1 family of genus 2 curves is given by $p_{a,b}(x) = y + y^2$ which are also $p_{a,b+y+y^2}(x) = 0$.

Algorithm 6: DeMoivreEncodeChar2 

input : A curve $H : p_{a,b}(x) - y - y^2 = 0$ on $\mathbb{F}_q$ with $q$ even and $t \in \mathbb{F}_q^* \setminus S$.
output: A point $(x_t : y_t : 1)$ on $H$

Reduce the elliptic curve $E : \alpha^2 + y^2\alpha + b\alpha + a^5 = 0$ to the Weierstrass form $\alpha^2 + y\alpha = y^3 + cy + d$;
Encode $t$ on $E$ and obtain the point $(\alpha_t, y_t)$;
$x_t := \alpha_t^{1/5 \bmod q-1} + a/\alpha_t^{1/5 \bmod q-1}$;
return $(x_t : y_t : 1)$.

Figure 6. De Moivre's encoding in even characteristic 

Theorem 4.8. Let $\mathbb{F}_q$ be the finite field with $q$ elements. Suppose $q$ even, $q \equiv 2 \bmod 3$ and let $d$ odd coprime with $q - 1$. Let $H_{a,b}/\mathbb{F}_q : y^2 + y = p_{a,b}(x)$ be an hyperelliptic curve where $p_{a,b}$ is a De Moivre's polynomial defined over $\mathbb{F}_q$ with non-zero discriminant.

Algorithm 6 computes a deterministic encoding $e_{a,b} : \mathbb{F}_q^* \setminus S \to H_{a,b}$, where $S$ is a subset of $\mathbb{F}_q$ of size at most 12, running in time $O(\log^{2+o(1)} q)$.

Proof. Recall that $H : p_{a,b} - y - y^2 = 0$. We consider the auxiliary equation $\theta^2 + (b - y - y^2)\theta + a^d = 0$. Let $\alpha_0$ be a root of this equation, then the second root is $\alpha_1 = a^d/\alpha_0$. Suppose $\alpha_0$ parameterized, then the (unique) root of our $p_{a,b-y-y^2}$ De Moivre's polynomial is $x = \sqrt[d]{\alpha_0} + \sqrt[d]{\alpha_1}$. We are reduced to the problem of parameterizing $y$ and $\alpha_0$.

Remark that $b - y - y^2 = \alpha_0 + \alpha_1$. This implies that $y$ and $\alpha_0$ lie on the genus 1 curve $E : \alpha_0^2 + y^2\alpha_0 + b\alpha_0 + a^5 = 0$. This curve can be easily parameterized using [10].

4.3. Encoding into the Jacobian of an hyperelliptic curve. Let $H$ be a genus $g$ hyperelliptic curve defined over a finite field $\mathbb{F}_q$ coming from the families defined in the previous sections 3.2, 4.1 and 4.2. We provide deterministic functions $e_H$ which construct rational points on $H$ from elements in $\mathbb{F}_q \setminus S$, where $S$ is a small subset of $\mathbb{F}_q$ which depends on the definition of $H$. In this section, we present two straightforward strategies for encoding divisors in $J_H(\mathbb{F}_q)$, the Jacobian of $H$.

Recall that each class in $J_H(\mathbb{F}_q)$ can be uniquely represented by a reduced divisor. A divisor $D$ is said to be reduced when it is a formal sum of points $\sum_{i=1}^{r} P_i - r P_\infty$ with $r \leq g$, $P_i \neq -P_j$ for $i \neq j$ and this sum is invariant under the action of the Galois group $\operatorname{Gal}(\overline{\mathbb{F}}_q/\mathbb{F}_q)$.

Encoding 1-smooth reduced divisors. There is a particular subset, denoted by $\mathcal{D}_1$, of reduced divisors which are called 1-smooth. These divisors are the ones with only rational points in their support. From our encoding function $e_H$, one easily deduces a function providing elements in $\mathcal{D}_1$: in a first step, a set of $r \leq g$ points (none of the points in this set is the opposite of another one) is produced, then a divisor is constructed from this set. This first step can be done deterministically by computing $g$ points with $e_H$ and eliminating possible collisions after negation. When $q$ is large enough, the proportion of $\mathcal{D}_1$ in $J_H(\mathbb{F}_q)$ is $\sim 1/g!$; moreover, since $e_H$ is not surjective, this function may not be surjective either. If one wants to construct more general reduced divisors, another strategy has to be used.

Extension of the base field and encoding. In the definition of the encoding $e_H$, we assume specific conditions on the base field $\mathbb{F}_q$ so that some power functions are deterministically bijective. If one wants to directly encode in the Jacobian of an hyperelliptic curve $H$ defined over $\mathbb{F}_q$, one can change the conditions in the following way. These specific conditions are now assumed for the extension field $\mathbb{F}_{q^g}$ (and thus no more on $\mathbb{F}_q$). The function $e_H$ becomes an encoding $e'_H$ from $\mathbb{F}_{q^g} \setminus S'$ (where the set $S'$ can be computed in the same manner as $S$) to the set of $\mathbb{F}_{q^g}$-rational points of $H$. From this new function $e'_H$ one can compute a set of $k$ points in $H(\mathbb{F}_{q^g})$ such that the sum of their degrees over $\mathbb{F}_q$ is less than $g$. By constructing the $\mathbb{F}_q$-conjugates of these points and eliminating the possible collisions after negation, we deduce a reduced divisor of $J_H(\mathbb{F}_q)$. This second strategy is more general than the former but it does not assume the same conditions on the field $\mathbb{F}_q$.

Remark that these two encodings are clearly "weak encodings" in the sense of [6].

5. Conclusion and future work 

We have almost extensively studied families of genus 1 and 2 curves which admit a deterministic algebraic encoding using the resolution of a degree 3 polynomial. We come to a new encoding map for Hessian elliptic curves and we give, for the first time to our knowledge, encoding maps for large families of genus 2 curves. We have also sketched families of higher genus hyperelliptic curves whose deterministic algebraic parameterization is based on solvable polynomials of higher degree arising from Kummer theory.

On-going work is being done to extend these families to finite fields of small characteristic. A natural question is to generalize the method to solvable degree 5 polynomials too, in the hope to first find a deterministic algebraic parameterization of every genus 2 curve, then of families of higher genus curves.